The Fullerton Hotel Sydney

Summary

The Fullerton Hotel Sydney suffered a ransomware attack on 24 March 2025, with the Akira ransomware gang claiming to have stolen over 148 gigabytes of data. The breach exposed sensitive guest and employee information including passports, driver licences, Medicare IDs, credit card details, and business records. The incident was isolated to the Sydney property and did not affect sister hotels in Singapore or Hong Kong.

What Happened

On 24 March 2025, the Akira ransomware gang targeted The Fullerton Hotel Sydney, gaining unauthorised access to hotel systems and exfiltrating data. On 8 April 2025, Akira listed The Fullerton Hotels and Resorts on its darknet leak site, threatening to publish over 148 gigabytes of stolen information. The attackers claimed to have accessed confidential files including non-disclosure agreements, contracts, identification documents, financial records, employee records, and guest information.

Impact on Individuals

The breach exposed highly sensitive personal information of hotel guests and employees, including names, dates of birth, phone numbers, physical addresses, passport details, driver licence numbers, and Medicare IDs. A small number of hotel guests had their credit card details compromised. The luxury hotel's clientele and staff had extensive personal and financial information exposed through the attack.

Organisational Response

The Fullerton Hotel Sydney's investigation confirmed that an unauthorised person gained access to and exfiltrated employee records and credit card details of a small number of guests. The hotel reported the incident to the Office of the Australian Information Commissioner. The organisation confirmed that the breach was limited to the Sydney property and did not affect The Fullerton Hotels and Resorts properties in Singapore or Hong Kong.